The hype, and the reality, behind advanced persistent threats

In a session titled “Cyberwar and APT: Hype and FUD”, Pescatore began by reflecting that, about every five years or so, the threats organizations face outpace their ability to combat them, largely because of developments in technology and the demands businesses place on their delivery. But what exactly are these new-fangled concepts of cyberwar and advanced persistent threat (APT), and how real or new are these threats? These were just some of the questions that the Gartner VP and analyst sought to answer for the audience.

“There is no such thing as the unstoppable attack in cybersecurity”, Pescatore claimed. “Every attack, in order to succeed, needs to exploit a vulnerability”. He jokingly then added that we could prevent attacks, if only we could remove all the vulnerabilities – a Pollyannaish-type quip that got quite a rise out of the crowd gathered to hear him speak.

While IT departments have faced all manner of attacks over the last decade-plus, Pescatore says today’s new breed of attacks differs from its predecessors in being financially motivated and supported by large organizations, whether they be criminal rings or nation-states.

Furthermore, due to the explosion in social media participation, organizations find themselves far more susceptible to narrow, targeted attacks in today’s environment. This widespread participation by executives and other employees on social media sites, and the information that can be gathered through them, makes it far easier for attackers to engage in stealthy, narrowly focused attacks that may go undetected for a long period of time – the hallmark of an APT.

Pescatore defines an APT with uncommon brevity – an attack that penetrates your current level of protection, takes a long time for you to detect, and causes meaningful harm. When defined in this manner, it really signifies a new term for an old practice. APTs are not the preserve of state-to-state cyberwarfare or industrial espionage, he contended; an APT is simply the compromise of an organization’s security defenses that takes advantage of a threat the organization is not monitoring for, over an extended period of time, and that causes some type of damage.

Not all APTs make use of zero-day vulnerabilities, though some, like Stuxnet, do. What an APT generally does is take advantage of a vulnerability that a particular organization may not typically look for. One example is zero-day attacks that were previously used in financially motivated attacks being redirected toward non-financial organizations.

In the Gartner analyst’s opinion, the threat of APTs and cyberwar-like attacks is secondary in impact to the more typical financially motivated targeted attacks organizations face today, at least for the next four years or so. Cyberwar-like attacks, he believes, are still a long way off, perhaps not taking form in a widespread sense until late into the second half of the 21st century.

“When some nation-state wants to do damage to another nation-state, personnel influence, bribery, and getting to unsatisfied people in key positions in government agencies will still be the number one cause of cyber damage rather than long-lived [cyber] attacks, because this is still the way we see the vast majority of nation-to-nation espionage and economic warfare happening and succeeding”, Pescatore asserted.

APT Defense

Completely preventing an APT, he continued, is at best theoretical and only possible under the most extreme of circumstances, many of which are neither feasible nor desired. The first would be getting rid of software and people, in conjunction with strong lockdown controls (near-infallible authentication, encryption for all data) and impenetrable firewalls.

In a more practical sense, Pescatore shared several strategies to protect against APTs. The first involves the category he labeled as “due diligence”, including vulnerability/patch/configuration management, intrusion prevention systems, and privileged access management. The second was hardening, which includes application whitelisting, network access control, and vulnerability avoidance (for hardware).

The final aspect of robust APT mitigation comprises what he called “lean forward” strategy components – among these are sandboxing, situational awareness, and network/computer forensics capabilities.

“What we don’t see among these recommendations is security through obscurity”, said Pescatore, because this type of strategy is no longer relevant in today’s environment. The tools labeled as “lean forward”, he continued, are certainly the more advanced, and in many cases the more expensive, security technologies now available. However, these tools, says Pescatore, will become ever more relevant in the evolving computing environment.

“When you look at this world where your users can be anywhere, using any type of device, we are losing, in a very big way, our ability to depend on endpoint security software”, he concluded, and the same trend applies to server-based security software.

He closed his recommendations with one pearl of wisdom, what he called “the horrible part of security”: “If you see something is wrong, and you see something is at risk, then you have to be prepared to do something about it. If you don’t do anything about it, then you have a whole different type of legal culpability.”